VMware View 4.6 PCoIP Secure Gateway Troubleshooting

Following on from a recent VMware View 4.5 to 4.6 upgrade I thought I would include a list of the resources I used to troubleshoot connectivity issues.

First off, read the View 4.6 Upgrades guide. This lists the steps required to upgrade all components of the View infrastructure, including how to upgrade the View Transfer server, the Composer server, etc. My own upgrade was with a single connection server, a security server, a vCenter Server with View Composer and the Active Directory back-end servers.
If you follow the instructions in this guide then the upgrade process should be relatively painless.

The key steps are:

Make backups and record various configuration and system settings

Halt scheduled tasks.

If end users are using View 3.1.x or 4.0.x Client with Offline Desktop or View 4.5 Client with Local Mode, ask them to check in their View desktops.

The View Security Server has to be Windows Server 2008 R2, which is a 64-bit server. The connection server can remain Windows Server 2003 32-bit or you can upgrade it to 64-bit version of Server 2003 or 2008.

When configuring the PCoIP secure gateway element, you can install it either on the View Connection server or on the View Security Server, which can then be installed in a DMZ. The upgrade wizard will prompt for the external PCoIP secure gateway server settings during setup; ensure you enter externally accessible information here. When you pair the security server to the connection server, this information will appear in the connection server web interface. Now all you need to do is go into the View connection server settings and enable the PCoIP Secure Gateway server option.

If you pair a Windows 2003 connection server with a PCoIP server, you may get this error after enabling PCoIP support:

"Warning: This connection server or one of its paired security servers does not have a PCoIP Secure Gateway installed. Ensure that this configuration is correct for your intended use of PCoIP."

This is normal as the 32-bit connection server doesn’t understand the PCoIP element of the View Secure Gateway as it doesn’t have that role installed. It will work fine.

Provided all these steps have been followed the security server should be working as expected.
If not, check that the following firewall ports are correctly configured.

PCoIP between View Client and Security Server

TCP 4172 from Client to Security Server

UDP 4172 from Client to Security Server

UDP 4172 from Security Server to Client

TCP 443 from Client to Security Server

UDP 443 from Client to Security Server

TCP 80 from Client to Security Server (If not using SSL, not recommended)

UDP 80 from Client to Security Server (If not using SSL, not recommended)

PCoIP between Security Server and virtual desktop

TCP 4172 from Security Server to virtual desktop

UDP 4172 from Security Server to virtual desktop

UDP 4172 from virtual desktop to Security Server
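
As an added example (not part of the original post or of any VMware tooling), the port list above can be encoded as a flow matrix and checked against an exported firewall rule set. The zone names, the rule tuple format and the first-match, default-deny, per-direction model are assumptions, and the sample rules are constructed.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "proto port src dst")
# action: "allow"/"deny"; proto: "tcp"/"udp"/"any"; ports: range; src/dst: zone or "any"
Rule = namedtuple("Rule", "action proto ports src dst")

C, S, D = "client", "security_server", "desktop"  # zone labels (assumed names)

# Flows transcribed from the port list above.
REQUIRED = [
    Flow("tcp", 4172, C, S), Flow("udp", 4172, C, S), Flow("udp", 4172, S, C),
    Flow("tcp", 443, C, S), Flow("udp", 443, C, S),
    Flow("tcp", 4172, S, D), Flow("udp", 4172, S, D), Flow("udp", 4172, D, S),
]
# Port 80 is only needed without SSL, which the list marks as not recommended.
PLAINTEXT = [Flow("tcp", 80, C, S), Flow("udp", 80, C, S)]

def allowed(rules, flow):
    """First matching rule decides; no match means deny (assumed model)."""
    for r in rules:
        if (r.proto in ("any", flow.proto) and flow.port in r.ports
                and r.src in ("any", flow.src) and r.dst in ("any", flow.dst)):
            return r.action == "allow"
    return False

def audit(rules):
    """Return (required flows that are blocked, plaintext flows that are open)."""
    missing = [f for f in REQUIRED if not allowed(rules, f)]
    plaintext_open = [f for f in PLAINTEXT if allowed(rules, f)]
    return missing, plaintext_open

# Constructed sample rule set, not taken from a real firewall.
SAMPLE_RULES = [
    Rule("allow", "tcp", range(443, 444), C, S),
    Rule("allow", "tcp", range(80, 81), C, S),
    Rule("allow", "any", range(4172, 4173), C, S),
    Rule("allow", "tcp", range(4172, 4173), S, D),
    Rule("allow", "udp", range(4172, 4173), S, D),
]

if __name__ == "__main__":
    missing, plaintext_open = audit(SAMPLE_RULES)
    for f in missing:
        print(f"BLOCKED  {f.proto.upper()} {f.port} {f.src} -> {f.dst}")
    for f in plaintext_open:
        print(f"NO-SSL   {f.proto.upper()} {f.port} {f.src} -> {f.dst}")
```

On a stateful firewall the return UDP direction may already be covered by connection tracking, so treat those findings as items to confirm rather than definite faults.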

Useful Links

Edit: I have removed the links to Paul Slager’s website as this site contains malware.

vMotion CPU Compatibility

vMotion has quite a few requirements that need to be in place before it will work correctly. Here is a list of the key requirements for vMotion to work.

Each host must be correctly licensed

Each host must meet shared storage requirements

Each host must meet the networking requirements

Each compatible CPU must be from the same family

When configuring vMotion between hosts I would recommend keeping to one brand of server per cluster, i.e. Dell, HP, IBM. Also always ensure that these servers are compatible with each other. You can confirm this by speaking to the server manufacturer.
A very important item to consider is to always ensure you are using the latest BIOS version on each of your hosts.

Ensuring that the CPUs are compatible with each other is essential for vMotion to work successfully. This is because the host that the virtual machine migrates to has to be capable of carrying on any instructions that the first host was running.
If a virtual machine is successfully running an application on one host and you migrate it to another host without these capabilities, the application would most likely crash, and possibly even the whole server would crash. This is why vMotion compatibility is required between hosts before you can migrate a running virtual machine.

It is user-level instructions that bypass the virtualisation layer, such as Streaming SIMD Extensions (SSE), SSE2, SSSE3, SSE4.1 and Advanced Encryption Standard (AES) instruction sets, that can differ greatly between CPU models and families of processors, and so can cause application instability after the migration.

Always ensure that all hardware is on the VMware compatibility guide.
To confirm compatibility between same family CPU models check the charts below.

This is a chart from Dell showing which Intel CPUs support vMotion.

This second chart, also from Dell, illustrates which AMD processors support vMotion.

VMware View 4.6 Overview

VMware View 4.6

VMware View 4.6 is out, and with it come new features. A full list of improvements is available here.

In the words of VMware, VMware View is the leading desktop virtualisation solution. It provides a virtualised desktop infrastructure which can leverage existing virtual infrastructures and provide a cost effective centrally managed desktop deployment.

VMware View offers the ability for desktop administrators to virtualize the operating system, applications, and user data and deliver modern desktops to end-users.

View Manager

VMware View Manager is an enterprise-class virtual desktop manager, and a critical component of VMware View.

IT administrators use VMware View Manager as a central point of control for providing end-users with secure, flexible access to their virtual desktops and applications, leveraging tight integration with VMware vSphere to help customers deliver desktops as a secure, managed service. Extremely scalable and robust, a single instance VMware View Manager can broker and monitor tens of thousands of virtual desktops at once, using the intuitive Web-based administrative interface for creating and updating desktop images, managing user data, enforcing global policies, and more.

Ok, so that’s the official description, but how does it all fit together?
VMware View is made up of the following core components.

View Manager Components

VMware View Agent: Provides session management and single sign-on capabilities.

VMware View Client: Enables end-users on PCs and thin clients to connect to their virtual desktops through the VMware View Connection Server. Use View Client with Local Mode to access virtual desktops even when disconnected without compromising on IT policies.

VMware vCenter Server with View Composer: Enables administrators to make configuration settings, manage virtual desktops and set entitlements of desktops and assignment of applications.

View Transfer Server: Transfers desktops to client PCs and laptops with offline mode.

View Security Server: A View Security Server (in a DMZ) is also an option. This will allow RDP and PCoIP connections over the WAN.

Servers required

View Connection server, preferably two (cannot have any other View roles, use IIS or be a domain controller)

View transfer server for Linked-Clones with Offline Mode (Cannot have any other roles. Can be a physical server)

Database server for events and View Composer database

Optional View Security Server for WAN RDP and PCoIP connectivity

View Composer

View Composer is installed on the vCenter Server. It provides storage-saving linked clones, rapid desktop deployment, quick update, patch management and tiered storage options.
View Composer can utilise QuickPrep or Sysprep, system automation tools for creating unique operating system instances in Microsoft Active Directory.
Changes to the master images can be sent out to all linked clones by running a recompose operation. Running a refresh operation on a linked clone synchronises it with the master image.
This is useful if users are experiencing issues with their linked clone, as it is a way of setting it back to default.
Each user in a linked clone can have their own persistent data disk which will contain all of their unique user data, documents and settings.

Linked-Clones with Offline Mode

A linked clone is made from a snapshot of the parent. All files available on the parent at the moment of the snapshot continue to remain available to the linked clone. On-going changes to the virtual disk of the parent do not affect the linked clone, and changes to the disk of the linked clone do not affect the parent. This provides a secure master template machine that can be used to create additional clones.

A linked clone must have access to the parent. Without access to the parent, a linked clone is disabled.

Offline mode allows users to check out the desktop and use it on a PC or laptop, for instance when travelling on a train, and then check it back in and synchronise the changes when returning to the office.

VMware ThinApp

ThinApp simplifies application delivery by encapsulating applications in portable packages that can be deployed to many end point devices while isolating applications from each other and the underlying operating system.

ThinApp virtualizes applications by encapsulating application files and registry into a single ThinApp package that can be deployed, managed and updated independently from the underlying operating system (OS). The virtualized applications do not make any changes to the underlying OS and continue to behave the same across different configurations for compatibility, consistent end-user experiences, and ease of management.

PCoIP

PCoIP supports WAN connections with less than 100kbps peak bandwidth with up to 250ms of latency; however, I recommend a minimum 1Mbps upload speed across the WAN with less than 150ms of latency.
Average PCoIP session bandwidth for an active office worker may be in the 80-150kbps range. This drops to nearly zero when not in use.
It is recommended that the infrastructure is using an offload card as PCoIP rendering is fairly resource intensive on the hosting server.
A PCoIP security gateway removes the need for a VPN connection. This became available in the latest VMware View 4.6 release.
Modern thin client devices like the zero clients from Wyse are designed specifically for connecting to a virtual desktop environment. These devices support PCoIP out of the box, with no major configuration required to connect them to the virtual desktop infrastructure.

vShield Endpoint

vShield Endpoint provides an API to allow third party anti-virus vendors a way of scanning machines at the Hypervisor level, rather than at the individual virtual machine level, removing unnecessary load from the individual clients.

In the future this will be the standard way that anti-virus scanning is completed for virtual desktop infrastructure, and for server infrastructure also. The current offering is from Trend Micro only, and is limited to scanning 15 machines per virtual appliance, but future developments from other providers may support more virtual machines.

vShield Endpoint is included in the cost of VMware View Premier.

ThinPrint

ThinPrint allows a View client to utilise the print devices installed on the connecting client machine so that a user can seamlessly print to their default local printer without having to install any drivers.

Licensing

View Licensing

VMware View is available using two licensing models, Enterprise and Premier. The differences between the two are illustrated in the table below.

Microsoft Licensing

Windows 7 requires a KMS server for automatic server provisioning. This can be a 2003, 2008 or 2008 R2 server; however, they have the following caveats.

Must have at least 5 Servers checked in for server activation to occur or 25 Windows 7 or Vista machines checked in for client activation to occur.

Windows Server 2008 is not supported as a KMS host to activate Windows 7 and Office 2010.